PT-2025-36627 · Maven · Org.Xwiki.Platform:Xwiki-Platform-Skin-Skinx
Publicado
2025-09-03
·
Atualizado
2025-09-03
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Impact
It's possible to get access and read configuration files by using URLs such as
http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false.This can apparently be reproduced on Tomcat instances.
Patches
This has been patched in 17.4.0-rc-1, 16.10.7.
Workarounds
There is no known workaround, other than upgrading XWiki.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
The vulnerability was reported by Gregor Neumann.
Correção
Relative Path Traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Org.Xwiki.Platform:Xwiki-Platform-Skin-Skinx